feat(report): add location.message to SARIF output (#3002) (#3003)

Signed-off-by: Craig Andrews <candrews@integralblue.com> Co-authored-by: AMF <work@afdesk.com>
aquasecurity · Oct 12, 2022 · d35c668 · d35c668
1 parent 2150ffc
commit d35c668
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 1 deletion.
diff --git a/integration/testdata/alpine-310.sarif.golden b/integration/testdata/alpine-310.sarif.golden
@@ -88,6 +88,9 @@
                   "endLine": 1,
                   "endColumn": 1
                 }
+              },
+              "message": {
+                "text": "testdata/fixtures/images/alpine-310.tar.gz: libcrypto1.1@1.1.1c-r0"
               }
             }
           ]
@@ -112,6 +115,9 @@
                   "endLine": 1,
                   "endColumn": 1
                 }
+              },
+              "message": {
+                "text": "testdata/fixtures/images/alpine-310.tar.gz: libcrypto1.1@1.1.1c-r0"
               }
             }
           ]
@@ -136,6 +142,9 @@
                   "endLine": 1,
                   "endColumn": 1
                 }
+              },
+              "message": {
+                "text": "testdata/fixtures/images/alpine-310.tar.gz: libssl1.1@1.1.1c-r0"
               }
             }
           ]
@@ -160,6 +169,9 @@
                   "endLine": 1,
                   "endColumn": 1
                 }
+              },
+              "message": {
+                "text": "testdata/fixtures/images/alpine-310.tar.gz: libssl1.1@1.1.1c-r0"
               }
             }
           ]

diff --git a/pkg/report/sarif.go b/pkg/report/sarif.go
@@ -56,6 +56,7 @@ type sarifData struct {
 	url              string
 	resultIndex      int
 	artifactLocation string
+	locationMessage  string
 	message          string
 	cvssScore        string
 	startLine        int
@@ -104,7 +105,7 @@ func (sw *SarifWriter) addSarifResult(data *sarifData) {
 		WithRuleIndex(data.resultIndex).
 		WithMessage(sarif.NewTextMessage(data.message)).
 		WithLevel(toSarifErrorLevel(data.severity)).
-		WithLocations([]*sarif.Location{sarif.NewLocation().WithPhysicalLocation(location)})
+		WithLocations([]*sarif.Location{sarif.NewLocation().WithMessage(sarif.NewTextMessage(data.locationMessage)).WithPhysicalLocation(location)})
 	sw.run.AddResult(result)
 }
 
@@ -148,6 +149,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				url:              vuln.PrimaryURL,
 				resourceClass:    string(res.Class),
 				artifactLocation: path,
+				locationMessage:  fmt.Sprintf("%v: %v@%v", path, vuln.PkgName, vuln.InstalledVersion),
 				resultIndex:      getRuleIndex(vuln.VulnerabilityID, ruleIndexes),
 				fullDescription:  html.EscapeString(fullDescription),
 				helpText: fmt.Sprintf("Vulnerability %v\nSeverity: %v\nPackage: %v\nFixed Version: %v\nLink: [%v](%v)\n%v",
@@ -167,6 +169,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				url:              misconf.PrimaryURL,
 				resourceClass:    string(res.Class),
 				artifactLocation: target,
+				locationMessage:  target,
 				startLine:        misconf.CauseMetadata.StartLine,
 				endLine:          misconf.CauseMetadata.EndLine,
 				resultIndex:      getRuleIndex(misconf.ID, ruleIndexes),
@@ -188,6 +191,7 @@ func (sw SarifWriter) Write(report types.Report) error {
 				url:              builtinRulesUrl,
 				resourceClass:    string(res.Class),
 				artifactLocation: target,
+				locationMessage:  target,
 				startLine:        secret.StartLine,
 				endLine:          secret.EndLine,
 				resultIndex:      getRuleIndex(secret.RuleID, ruleIndexes),

diff --git a/pkg/report/sarif_test.go b/pkg/report/sarif_test.go
@@ -96,6 +96,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 					Message:   sarif.Message{Text: toPtr("Package: foo\nInstalled Version: 1.2.3\nVulnerability CVE-2020-0001\nSeverity: HIGH\nFixed Version: 3.4.5\nLink: [CVE-2020-0001](https://avd.aquasec.com/nvd/cve-2020-0001)")},
 					Locations: []*sarif.Location{
 						{
+							Message: &sarif.Message{Text: toPtr("library/test: foo@1.2.3")},
 							PhysicalLocation: &sarif.PhysicalLocation{
 								ArtifactLocation: &sarif.ArtifactLocation{
 									URI:       toPtr("library/test"),
@@ -149,6 +150,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 					Message:   sarif.Message{Text: toPtr("Artifact: library/test\nType: \nVulnerability KSV001\nSeverity: HIGH\nMessage: Message\nLink: [KSV001](https://avd.aquasec.com/appshield/ksv001)")},
 					Locations: []*sarif.Location{
 						{
+							Message: &sarif.Message{Text: toPtr("library/test")},
 							PhysicalLocation: &sarif.PhysicalLocation{
 								ArtifactLocation: &sarif.ArtifactLocation{
 									URI:       toPtr("library/test"),
@@ -171,6 +173,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 					Message:   sarif.Message{Text: toPtr("Artifact: library/test\nType: \nVulnerability KSV002\nSeverity: CRITICAL\nMessage: Message\nLink: [KSV002](https://avd.aquasec.com/appshield/ksv002)")},
 					Locations: []*sarif.Location{
 						{
+							Message: &sarif.Message{Text: toPtr("library/test")},
 							PhysicalLocation: &sarif.PhysicalLocation{
 								ArtifactLocation: &sarif.ArtifactLocation{
 									URI:       toPtr("library/test"),
@@ -263,6 +266,7 @@ func TestReportWriter_Sarif(t *testing.T) {
 					Message:   sarif.Message{Text: toPtr("Artifact: library/test\nType: \nSecret AWS Secret Access Key\nSeverity: CRITICAL\nMatch: 'AWS_secret_KEY'=\"****************************************\"")},
 					Locations: []*sarif.Location{
 						{
+							Message: &sarif.Message{Text: toPtr("library/test")},
 							PhysicalLocation: &sarif.PhysicalLocation{
 								ArtifactLocation: &sarif.ArtifactLocation{
 									URI:       toPtr("library/test"),